From: Cody P Schafer <cody@linux.vnet.ibm.com>
To: Seth Jennings <sjenning@linux.vnet.ibm.com>
Cc: Ric Mason <ric.masonn@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Nitin Gupta <ngupta@vflare.org>, Minchan Kim <minchan@kernel.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Dan Magenheimer <dan.magenheimer@oracle.com>,
Robert Jennings <rcj@linux.vnet.ibm.com>,
Jenifer Hopper <jhopper@us.ibm.com>, Mel Gorman <mgorman@suse.de>,
Johannes Weiner <jweiner@redhat.com>,
Rik van Riel <riel@redhat.com>,
Larry Woodman <lwoodman@redhat.com>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Dave Hansen <dave@linux.vnet.ibm.com>,
Joe Perches <joe@perches.com>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
devel@driverdev.osuosl.org
Subject: Re: [PATCHv5 4/8] zswap: add to mm/
Date: Mon, 18 Feb 2013 11:49:24 -0800 [thread overview]
Message-ID: <512285C4.4050809@linux.vnet.ibm.com> (raw)
In-Reply-To: <51227FDA.7040000@linux.vnet.ibm.com>
On 02/18/2013 11:24 AM, Seth Jennings wrote:
> On 02/15/2013 10:04 PM, Ric Mason wrote:
>> On 02/14/2013 02:38 AM, Seth Jennings wrote:
> <snip>
>>> +/* invalidates all pages for the given swap type */
>>> +static void zswap_frontswap_invalidate_area(unsigned type)
>>> +{
>>> + struct zswap_tree *tree = zswap_trees[type];
>>> + struct rb_node *node, *next;
>>> + struct zswap_entry *entry;
>>> +
>>> + if (!tree)
>>> + return;
>>> +
>>> + /* walk the tree and free everything */
>>> + spin_lock(&tree->lock);
>>> + node = rb_first(&tree->rbroot);
>>> + while (node) {
>>> + entry = rb_entry(node, struct zswap_entry, rbnode);
>>> + zs_free(tree->pool, entry->handle);
>>> + next = rb_next(node);
>>> + zswap_entry_cache_free(entry);
>>> + node = next;
>>> + }
>>> + tree->rbroot = RB_ROOT;
>>
>> Why don't need rb_erase for every nodes?
>
> We are freeing the entire tree here. try_to_unuse() in the swapoff
> syscall should have already emptied the tree, but this is here for
> completeness.
>
> rb_erase() will do things like rebalancing the tree; something that
> just wastes time since we are in the process of freeing the whole
> tree. We are holding the tree lock here so we are sure that no one
> else is accessing the tree while it is in this transient broken state.
If we have a sub-tree like:
...
/
A
/ \
B C
B == rb_next(tree)
A == rb_next(B)
C == rb_next(A)
The current code free's A (via zswap_entry_cache_free()) prior to
examining C, and thus rb_next(C) results in a use after free of A.
You can solve this by doing a post-order traversal of the tree, either
a) in the destructive manner used in a number of filesystems, see
fs/ubifs/orphan.c ubifs_add_orphan(), for example.
b) or by doing something similar to this commit:
https://github.com/jmesmon/linux/commit/d9e43aaf9e8a447d6802531d95a1767532339fad
, which I've been using for some yet-to-be-merged code.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2013-02-18 19:50 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-13 18:38 [PATCHv5 0/8] zswap: compressed swap caching Seth Jennings
2013-02-13 18:38 ` [PATCHv5 1/8] zsmalloc: add to mm/ Seth Jennings
2013-02-16 3:26 ` Ric Mason
2013-02-18 19:04 ` Seth Jennings
2013-02-19 9:18 ` Joonsoo Kim
2013-02-19 17:54 ` Seth Jennings
2013-02-19 23:37 ` Minchan Kim
2013-02-22 9:24 ` Joonsoo Kim
2013-02-22 20:04 ` Seth Jennings
2013-02-25 17:05 ` Dan Magenheimer
2013-02-25 19:14 ` Seth Jennings
2013-02-26 0:20 ` Dan Magenheimer
2013-02-20 1:58 ` Nitin Gupta
2013-02-20 2:42 ` Nitin Gupta
2013-02-13 18:38 ` [PATCHv5 2/8] zsmalloc: add documentation Seth Jennings
2013-02-16 6:21 ` Ric Mason
2013-02-18 19:16 ` Seth Jennings
2013-02-21 8:44 ` Ric Mason
2013-02-21 8:49 ` Ric Mason
2013-02-21 15:50 ` Seth Jennings
2013-02-21 16:20 ` Dan Magenheimer
2013-02-22 2:56 ` Ric Mason
2013-02-22 21:02 ` Seth Jennings
2013-02-24 0:37 ` Ric Mason
2013-02-25 15:18 ` Seth Jennings
2013-03-01 6:47 ` Ric Mason
2013-02-22 2:59 ` Ric Mason
2013-02-13 18:38 ` [PATCHv5 3/8] debugfs: add get/set for atomic types Seth Jennings
2013-02-13 18:38 ` [PATCHv5 4/8] zswap: add to mm/ Seth Jennings
2013-02-16 4:04 ` Ric Mason
2013-02-18 19:24 ` Seth Jennings
2013-02-18 19:49 ` Cody P Schafer [this message]
2013-02-18 20:07 ` Seth Jennings
2013-02-18 19:55 ` Dan Magenheimer
2013-02-18 20:39 ` Seth Jennings
2013-02-18 21:59 ` Dan Magenheimer
2013-02-18 22:52 ` Seth Jennings
2013-02-18 23:17 ` Dan Magenheimer
2013-02-20 20:37 ` Seth Jennings
2013-02-13 18:38 ` [PATCHv5 5/8] mm: break up swap_writepage() for frontswap backends Seth Jennings
2013-02-13 18:38 ` [PATCHv5 6/8] mm: allow for outstanding swap writeback accounting Seth Jennings
2013-02-13 18:38 ` [PATCHv5 7/8] zswap: add swap page writeback support Seth Jennings
2013-02-16 6:11 ` Ric Mason
2013-02-18 19:32 ` Seth Jennings
2013-02-25 2:54 ` Minchan Kim
2013-02-25 17:37 ` Seth Jennings
2013-02-13 18:38 ` [PATCHv5 8/8] zswap: add documentation Seth Jennings
2013-02-16 3:20 ` [PATCHv5 0/8] zswap: compressed swap caching Ric Mason
2013-02-18 19:37 ` Seth Jennings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=512285C4.4050809@linux.vnet.ibm.com \
--to=cody@linux.vnet.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=benh@kernel.crashing.org \
--cc=dan.magenheimer@oracle.com \
--cc=dave@linux.vnet.ibm.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=jhopper@us.ibm.com \
--cc=joe@perches.com \
--cc=jweiner@redhat.com \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lwoodman@redhat.com \
--cc=mgorman@suse.de \
--cc=minchan@kernel.org \
--cc=ngupta@vflare.org \
--cc=rcj@linux.vnet.ibm.com \
--cc=ric.masonn@gmail.com \
--cc=riel@redhat.com \
--cc=sjenning@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).